Update

USN-7977-1: Git LFS vulnerabilities

Packages
git-lfs - Command line extension and spec for managing large files with Git

Details
Ryota K discovered that Git LFS may leak login credentials in certain
instances due to failing to check for URL-encoded characters. An
attacker could possibly use this issue to learn sensitive information.
(CVE-2024-53263)

It was discovered that Git LFS could have its git lfs checkout and
git lfs pull commands abused to write to any file on a user’s
system. An attacker could possibly use this issue to execute arbitrary
code. This issue was only addressed in Ubuntu 24.04 LTS and
Ubuntu 25.10. (CVE-2025-26625)

Update instructions
In general, a standard system update will make all the necessary changes.

The problem can be corrected by updating your system to the following package versions:

25.10 questing

  • git-lfs – 3.6.1-1ubuntu0.1
  • golang-github-git-lfs-git-lfs-dev – 3.6.1-1ubuntu0.1

24.04 LTS noble

  • git-lfs – 3.4.1-1ubuntu0.3+esm2
  • golang-github-git-lfs-git-lfs-dev – 3.4.1-1ubuntu0.3+esm2

22.04 LTS jammy

  • git-lfs – 3.0.2-1ubuntu0.3+esm2
  • golang-github-git-lfs-git-lfs-dev – 3.0.2-1ubuntu0.3+esm2

20.04 LTS focal

  • git-lfs – 2.9.2-1ubuntu0.1~esm2

18.04 LTS bionic

  • git-lfs – 2.3.4-1ubuntu0.1~esm1